September 2, 2014

In Brief: Adobe fixes at least 26 security problems in Adobe Acrobat and Adobe Reader

(LiveHacking.Com) – Along with its update to Flash, Adobe has released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. The update for the popular PDF file reader and its companion PDF creator is available for Windows, OS X and Linux.

This update addresses vulnerabilities that could cause a crash and potentially allow an attacker to run arbitrary code on an affected system. Details of the bugs fixed are:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, CVE-2013-0623).
  • Use-after-free vulnerability that could lead to code execution (CVE-2013-0602).
  • Heap overflow vulnerabilities that could lead to code execution (CVE-2013-0603, CVE-2013-0604).
  • Stack overflow vulnerabilities that could lead to code execution (CVE-2013-0610, CVE-2013-0626).
  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, CVE-2013-0621).
  • Integer overflow vulnerabilities that could lead to code execution (CVE-2013-0609, CVE-2013-0613).
  • Local privilege escalation vulnerability (CVE-2013-0627).
  • Logic error vulnerabilities that could lead to code execution (CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, CVE-2013-0618).
  • Security bypass vulnerabilities (CVE-2013-0622, CVE-2013-0624).

Affected Versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X, it seems that malicious hackers are still finding ways of compromising the security of computers via specially formed PDF files. Russian security firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in small circles of underground hackers but, of course, there is every possibility that its use will become widespread. The new unpatched zero-day threat gives malware writers and bot authors further opportunities to create new attack vectors by which malware can be loaded onto a victim's computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user closes the browser and restarts it. Another variant is to organize interaction between the victim and the malformed PDF document. Either way, the vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-XChange Viewer, Nitro PDF and Sumatra PDF.

Apple Updates XProtect to Include Revir PDF Trojan

(LiveHacking.Com) - Apple has updated the minimalistic antivirus solution included with Mac OS X to detect the PDF Revir Trojan horse. The Trojan, which hides in a PDF file, infects OS X machines with multiple pieces of malicious code, including a backdoor.

The PDF document itself is taken from a Chinese article that was circulating late last year and contains text related to political issues, which some readers could find offensive. The malware installs the backdoor Imuler.A.

Apple added a signature for Revir on Friday to the detection engine called XProtect included with Mac OS X 10.6 and Mac OS X 10.7.

If you do accidentally get infected by this Trojan horse, F-Secure has put up manual instructions for removing the backdoor.

iOS Update to Fix PDF Vulnerability

(LiveHacking.Com) — Apple is set to fix a vulnerability in the way that iOS handles PDF documents and so close the hole which enables users to jailbreak their devices by using the JailbreakMe website.

Users of JailbreakMe point the Mobile Safari browser on their iOS device to jailbreakme.com and the hack is performed remotely, unlike most other tools, such as PwnageTool and redsn0w, that require a software download on your computer.

JailbreakMe is an “untethered” jailbreak, meaning the user does not need to have their device plugged in to their computer while rebooting in order to keep the hack. Users may notice a line of colored pixels or other graphical glitches when rebooting. That’s because once the JailbreakMe hack is installed, it overloads the device framebuffer (i.e. loads itself into video memory) on startup, injecting jailbreak code early in the startup sequence. That graphical glitch is the jailbreak code itself!

Apple spokeswoman Trudy Millar says they are working on a fix. “Apple takes security very seriously. We’re aware of this reported issue and are developing a fix that will be available to customers in an upcoming software update.”